libinject/cmp/

utils.rs

//! **Utility functions for fine-grained coverage collection:** Including functions to: wrap the
//! specified external symbols, extract partial match information from comparison operands, mutate
//! the AFL coverage bitmap, etc.

use super::Symbols;
use crate::{
    drcore::{self, get_proc_address, log},
    ffi,
    utils::{Boolean, ReadError},
};
use enum_iterator::all;
use spin::Mutex;
use std::{collections::HashSet, os::raw::c_void};
use std::{ffi::CStr, sync::LazyLock};
use std::{os::raw::c_char, ptr};

/// **HashSet of absolute addresses of functions that have been wrapped:** Used to prevent wrapping the
/// same function (in the same dll) twice. Since these are absolute addresses, the same symbol may
/// be wrapped in several different dlls, which is the desired behaviour.
static WRAPPED: LazyLock<Mutex<Option<HashSet<usize>>>> = LazyLock::new(|| Mutex::new(None));

fn push_wrapped(addr: usize) {
    let mut wrapped_fns = WRAPPED.lock();
    match wrapped_fns.as_mut() {
        Some(wrapped_set) => {
            wrapped_set.insert(addr);
        }
        None => {
            let mut wrapped_set = HashSet::new();
            wrapped_set.insert(addr);
            *wrapped_fns = Some(wrapped_set);
        }
    }
}

fn is_wrapped(addr: usize) -> bool {
    match WRAPPED.lock().as_ref() {
        Some(wrapped_set) => wrapped_set.contains(&addr),
        None => false,
    }
}

/// Called from WinAFL. Check if any of the compare symbols (defined in the `cmp::Symbols` enum) are exported by the module with base address `mod_base_addr`. Wrap all of the compare symbols that are found with their associated wrapper function.
#[unsafe(no_mangle)]
pub extern "C" fn wrap_compare_symbols(mod_base_addr: ffi::app_pc, mod_name_ptr: *const c_char) {
    unsafe {
        let mod_name = CStr::from_ptr(mod_name_ptr)
            .to_str()
            .unwrap_or("<UTF8-parse-err>");
        all::<Symbols>().for_each(|symbol| {
            if let Some(addr) = get_proc_address(mod_base_addr, symbol.to_str()) {
                if !is_wrapped(addr as usize) {
                    match ffi::drwrap_wrap(addr as *mut u8, Some(symbol.wrapper_fn()), None)
                        .as_bool()
                    {
                        true => {
                            log(&format!(
                                "[module load] wrapped {} in module {mod_name} @ 0x{:?}",
                                symbol.to_str(),
                                addr
                            ));
                            push_wrapped(addr as usize);
                        }
                        false => log(&format!(
                            "[module load] failed to wrap {} in module {mod_name} @ 0x{:?}",
                            symbol.to_str(),
                            addr
                        )),
                    }
                }
            };
        });
    }
}

/// Record coverage information for the comparison between the `n` bytes of data pointed to by `a`, and the `n` bytes pointed to by `b`. The coverage information is written to the coverage bitmap pointed to by `afl_cmp_area`, starting at `base_idx`.
///
/// Note that if `n > cmp::CMP_MAX_LEN` coverage information is only collected on the first
/// `CMP_MAX_LEN` bytes of the comparison.
pub unsafe fn compare_ptrs(
    fn_name: &str,
    afl_cmp_area: *mut u8,
    base_idx: usize,
    a: *const u8,
    b: *const u8,
    n: usize,
) -> Result<(), ReadError> {
    let aa = drcore::safe_read(a as *mut c_void, n)?;
    let bb = drcore::safe_read(b as *mut c_void, n)?;
    log(&format!(
        "[{fn_name}] comparing {n} bytes:\na: {:?}\nb: {:?}",
        aa, bb
    ));
    unsafe { Ok(write_coverage(afl_cmp_area, base_idx, &aa, &bb, n)) }
}

/// Calculate a suitable coverage-bitmap base index for the program address `app_pc`. The address
/// is hashed and masked to ensure it is within the bounds of the bitmap.
pub unsafe fn base_idx_of_app_pc(app_pc: *const u8) -> usize {
    unsafe {
        // Multiply by Knuth’s multiplicative hash and mask
        ((app_pc as usize).wrapping_mul(0x9E37_79B1) as usize)
            & (super::WINAFL_CMP_MAP_SIZE as usize - super::CMP_MAX_LEN)
    }
}

/// Record coverage information for the comparison between slices `a` and `b`. The coverage information is written to the coverage bitmap pointed to by `afl_cmp_area`, starting at `base_idx`.
///
/// Note that if `n > cmp::CMP_MAX_LEN` coverage information is only collected on the first
/// `CMP_MAX_LEN` bytes of the comparison.
pub unsafe fn write_coverage(afl_cmp_area: *mut u8, base_idx: usize, a: &[u8], b: &[u8], n: usize) {
    unsafe {
        unsafe fn incr_at_idx(afl_cmp_area: *mut u8, idx: usize) {
            unsafe {
                let p = afl_cmp_area.add(idx);
                // Saturating increment so bytes don’t wrap
                let val = ptr::read_volatile(p);
                if val < u8::MAX {
                    ptr::write_volatile(p, val.wrapping_add(1));
                }
            }
        }

        let truncated_cmp_len = super::CMP_MAX_LEN.min(n);

        for i in 0..truncated_cmp_len {
            let idx = base_idx + i;
            if a[i] == b[i] {
                incr_at_idx(afl_cmp_area, idx);
            } else {
                break;
            }
        }
    }
}

pub unsafe fn get_afl_cmp_area() -> Result<*mut u8, String> {
    unsafe {
        let drcontext = ffi::dr_get_current_drcontext();
        let thread_data = ffi::drmgr_get_tls_field(drcontext, super::winafl_tls_field);
        if thread_data.is_null() {
            return Err(
                "pointer to winafl coverage data (in thread-local storage) is null".to_string(),
            );
        }

        // Cast to a pointer to an array of pointers.
        let thread_data = thread_data as *mut *mut c_void;
        let afl_area = *thread_data.add(1) as *mut u8;
        if afl_area.is_null() {
            return Err("pointer to winafl bitmap (in thread-local storage) is null".to_string());
        }

        // Pointer to CMP partition of the bitmap (the partition begins at the end of the edge
        // coverage partition).
        Ok(afl_area.add(super::WINAFL_COV_MAP_SIZE as usize))
    }
}